Grant and manage access to Delta Sharing data shares

This article explains how to grant a data recipient access to a Delta Sharing share. It also explains how to view, update, and revoke access.

Requirements

To share data with recipients:

  • You must be a metastore admin, have the CREATE_SHARE privilege for the Unity Catalog metastore where the data you want to share is registered, or be the owner of both the share and recipient objects.

  • You must use a Databricks workspace that has a Unity Catalog metastore attached.

  • You must use a SQL warehouse or cluster that uses a Unity-Catalog-capable cluster access mode.

  • Shares and recipients must already be defined.

Grant recipient access to share

To grant share access to recipients, you can use Data Explorer, the Databricks Unity Catalog CLI, or SQL commands in a Databricks notebook or the Databricks SQL query editor.

Permissions required: Metastore admin or share object owner. The share object owner must also be the owner of any recipient objects being added.

To add recipients to a share (starting at the share):

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Shares tab, find and select the share.

  4. Click Add recipient.

  5. On the Add recipient dialog, start typing the recipient name or click the drop-down menu to select the recipients you want to add to the share.

  6. Click Add.

To grant share access to a recipient (starting at the recipient):

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, find and select the recipient.

  4. Click Grant share.

  5. On the Grant share dialog, start typing the share name or click the drop-down menu to select the shares you want to grant.

  6. Click Grant.

To grant access using SQL, run the following command in a notebook or the Databricks SQL query editor.

GRANT SELECT ON SHARE <share_name> TO RECIPIENT <recipient_name>;

SELECT is the only privilege that you can grant a recipient on a share.

To grant access using the Databricks CLI, create a JSON file that includes the following, replacing recipient-name. SELECT is the only privilege that you can grant on a share.

{
  "privilege_assignments": [{
    "principal": "recipient-name",
    "privileges": [
      "SELECT"
    ]
  }]
}

Then run the following command using the Databricks CLI. Replace <share_name> with the name of the share you want to grant to the recipient, and replace update-share-perms.json with the filename of the JSON file.

databricks unity-catalog shares update-permissions --name <share_name> \
                                --json-file update-share-perms.json

Revoke recipient access to a share

To revoke a recipient’s access to a share, you can use Data Explorer, the Databricks Unity Catalog CLI, or the REVOKE ON SHARE SQL command in a Databricks notebook or the Databricks SQL query editor.

Permissions required: Metastore admin or share object owner.

To revoke a recipient’s access to a share, starting at the share:

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Shares tab, find and select the share.

  4. On the Recipients tab, find the recipient.

  5. Click the kebab menu (also known as the three-dot menu) and select Revoke.

  6. On the confirmation dialog, click Revoke.

To revoke a recipient’s access to a share, starting at the recipient:

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, find and select the recipient.

  4. On the Shares tab, find the share.

  5. Click the kebab menu (also known as the three-dot menu) on the share row and select Revoke.

  6. On the confirmation dialog, click Revoke.

To revoke access using SQL, run the following command in a notebook or the Databricks SQL query editor.

REVOKE SELECT ON SHARE <share_name> FROM RECIPIENT <recipient_name>;

To revoke access using the Databricks CLI, create a JSON file that includes the following, replacing recipient-name:

{
  "changes": [{
    "principal": "recipient-name",
    "remove": ["SELECT"]
  }]
}

Run the following command using the Databricks CLI. Replace <share_name> with the name of the share whose access you want to revoke from the recipient, and replace update-share-perms.json with the filename of the JSON file.

databricks unity-catalog shares update-permissions --name <share_name> --json-file update-share-perms.json

View grants on a share or grants possessed by a recipient

To view the current grants on a share, you can use Data Explorer, the Databricks Unity Catalog CLI, or the SHOW GRANTS ON SHARE SQL command in a Databricks notebook or the Databricks SQL query editor.

Permissions required: If you are viewing recipients granted access to a share, you must be a metastore admin or the share object owner. If you are viewing shares granted to a recipient, you must be a metastore admin or the recipient object owner.

To view recipients with access to a share:

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Shares tab, find and select the share.

  4. Go to the Recipients tab to view all recipients who have access to the share.

To view the grants on a share using SQL, run the following command in a notebook or the Databricks SQL query editor.

SHOW GRANTS ON SHARE <share_name>;

To view the grants on a share using the Databricks CLI, run the following command.

databricks unity-catalog shares list-permissions --name <share_name>

To view the current share grants possessed by a recipient, you can use Data Explorer, the Databricks Unity Catalog CLI, or the SHOW GRANTS TO RECIPIENT SQL command in a Databricks notebook or the Databricks SQL query editor.

To view shares granted to a recipient:

  1. In your Databricks workspace, click Data.

  2. In the left pane, expand the Delta Sharing menu and select Shared by me.

  3. On the Recipients tab, find and select the recipient.

  4. Go to the Shares tab to view all shares that the recipient has access to.

To view the shares granted to a recipient using SQL, run the following command in a notebook or the Databricks SQL query editor.

SHOW GRANTS TO RECIPIENT <recipient_name>;

To view the shares granted to a recipient using the Databricks CLI, run the following command.

databricks unity-catalog recipients list-permissions --name <recipient_name>
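
The view, grant, and revoke steps above can be combined into a periodic access review. The following is an added example, not part of the original article or of Databricks tooling: it compares the current grants on a share against an approved recipient list and produces the GRANT and REVOKE statements, plus the revoke JSON file, in the forms shown on this page. It assumes the current grants are available in the same "privilege_assignments" shape as the grant JSON above; the share and recipient names are constructed.

```python
import json
import re

# Constructed sample: current grants on a share, assumed to use the same
# "privilege_assignments" shape as the grant JSON file shown on this page.
CURRENT_GRANTS = json.loads("""
{"privilege_assignments": [
  {"principal": "partner_a", "privileges": ["SELECT"]},
  {"principal": "old_vendor", "privileges": ["SELECT"]}
]}
""")

# Conservative allow-list for object names placed into generated SQL.
_NAME = re.compile(r"[A-Za-z0-9_-]+")


def _ident(name):
    """Backtick-quote a share or recipient name, rejecting unexpected characters."""
    if not _NAME.fullmatch(name):
        raise ValueError(f"unexpected characters in name: {name!r}")
    return f"`{name}`"


def reconcile(share, current, approved):
    """Return (sql_statements, revoke_payload) that align grants with `approved`."""
    granted = {a["principal"] for a in current.get("privilege_assignments", [])
               if "SELECT" in a.get("privileges", [])}
    to_revoke = sorted(granted - set(approved))   # has access, not approved
    to_grant = sorted(set(approved) - granted)    # approved, no access yet
    # Revocations come first so unapproved access is removed before anything else.
    sql = [f"REVOKE SELECT ON SHARE {_ident(share)} FROM RECIPIENT {_ident(r)};"
           for r in to_revoke]
    sql += [f"GRANT SELECT ON SHARE {_ident(share)} TO RECIPIENT {_ident(r)};"
            for r in to_grant]
    # Same shape as the revoke JSON file on this page, one entry per recipient.
    payload = {"changes": [{"principal": r, "remove": ["SELECT"]} for r in to_revoke]}
    return sql, payload


if __name__ == "__main__":
    statements, payload = reconcile("sales_share", CURRENT_GRANTS,
                                    ["partner_a", "partner_b"])
    print("\n".join(statements))
    print(json.dumps(payload, indent=2))
```

Review the generated statements before running them; the name check rejects any share or recipient name that contains characters outside letters, digits, underscores, and hyphens.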